HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)
compartments(4)
Interface lan0 is assigned to compartment LAN0, IP address range 192.168.0.0/16 is assigned to compartment IP_16, IP address range 192.0.0.0/8 is assigned to compartment IP_8, and IP address 192.168.0.0 is assigned to compartment IP.
Note that IPv4 address 192.168.0.0 belongs to all of the ranges specified in the rules for IP_8, IP_16, and IP. If the interface lan0 is assigned the address 192.168.0.0, there is an additional conflict between the name rule and the address rules.
Such conflicts are resolved as follows:
• An IP address or address range assignment has higher precedence than a name assignment. For instance, if lan0 is assigned an IP address of 192.200.1.1, it belongs to compartment IP_8, not LAN0.
• A rule specifying a more specific IP address range has precedence over a rule specifying a less specific IP address range. For instance, if lan1 is assigned 192.168.0.1, it belongs to compartment IP_16, not IP_8.
• A rule with an exact IP address has higher precedence than any other rule. If lan0 were assigned the address 192.168.0.0, it would belong to compartment IP.
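The precedence rules above, modelled as an added example (this is not HP-UX code and does not parse a real compartment rules file; the rule tables are constructed from the lan0/IP_8/IP_16/IP example). The helper also reports every rule an address matches, which is the conflict an administrator would want to spot before relying on precedence:

```python
from ipaddress import ip_address, ip_network

# Constructed rule set mirroring the example in the text.
INTERFACE_RULES = {"lan0": "LAN0"}            # interface-name rules
IP_RULES = {                                  # address / address-range rules
    "192.0.0.0/8": "IP_8",
    "192.168.0.0/16": "IP_16",
    "192.168.0.0/32": "IP",   # an exact address is the most specific range
}


def matching_rules(interface, addr=None):
    """Every (source, compartment) pair that claims this interface.
    More than one entry means the rules conflict and precedence decides."""
    matches = []
    if interface in INTERFACE_RULES:
        matches.append(("name:" + interface, INTERFACE_RULES[interface]))
    if addr is not None:
        ip = ip_address(addr)
        for cidr, comp in IP_RULES.items():
            if ip in ip_network(cidr):
                matches.append(("range:" + cidr, comp))
    return matches


def resolve_compartment(interface, addr=None):
    """Apply the documented precedence: exact address > more specific
    range > less specific range > interface name. None if nothing matches."""
    best = None
    if addr is not None:
        ip = ip_address(addr)
        for cidr, comp in IP_RULES.items():
            net = ip_network(cidr)
            # Longest prefix wins; a /32 (exact address) is the longest.
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, comp)
    if best is not None:
        return best[1]
    # No address rule matched, so the name rule (if any) applies.
    return INTERFACE_RULES.get(interface)
```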
MULTIBIND
Previous versions of HP-UX allowed a process to bind to a port on an interface through which it cannot communicate. This had the side effect of potentially preventing other (more legitimate) processes from using the port on that interface, effectively hijacking the port.
In this release, this limitation is removed. In particular, if a compartment has no access to an interface,
then processes in that compartment cannot hijack any ports on that interface.
This is referred to as the multibind feature. To fully utilize this feature, the compartments must be configured such that no interface is accessible unless it can be used for communication.
For instance, if compartment X has access to interface lan0 only and compartment Y has access to interface lan1 only, then processes in either compartment cannot hijack ports from a process in the other compartment.
However, if X is allowed to access even a single port of lan1, it may be able to hijack all ports of lan1. The
current implementation is actually a bit more generous: if X is allowed to access only tcp ports of lan1, it
can hijack all tcp ports (but not udp ports) of lan1. Similarly, if X is allowed to access only udp ports of
lan1, it can hijack only udp ports (but not tcp ports) of lan1.
However, this is an implementation detail and applications should not depend on it. If the processes in X need to be protected from processes in Y hijacking their ports, or vice versa, configure the network rules and interface rules such that no interface is accessible from both compartments on any protocol.
WARNINGS
The rules generated in discover mode are only suggestive in nature and need to be verified.
The rules may be redundant (for example, identical rules may be generated for a parent directory and for a subdirectory instead of relying on rule inheritance), may be correct yet meaningless (for example, a file permission of create on a file), and may be insufficient (for example, a network rule may be created only for a specific anonymous port instead of the entire anonymous port range). The rules may also be insufficient when a given file has multiple pathnames via hard links (discover mode may add rules for only one of the paths, or may add conflicting rules for different paths).
Also, the disallowed privileges rule is not generated in discover mode.
If the setrules command fails at boot, it can leave the databases inconsistent and lead to unexpected errors from the getrules command. It is therefore recommended to use the preview option of setrules to correct such errors and then reboot the system.
Since network interfaces are usable only when assigned to a compartment, every active interface must belong to a compartment for normal operation. If none of the configured interfaces is assigned to any compartment, the inability to communicate can hang the system when it tries to start services such as nfs and sendmail at boot time.
It is advised to use the same access rule for all ports in the anonymous port range. (The anonymous port range is configurable using the ndd command.) If the rules are not all identical and a process uses autobind to obtain a port number, the system may reject the bind request or may assign a port number that does not allow the process to communicate.
62 Hewlett-Packard Company − 6 − HP-UX 11i Version 3: February 2007